I reviewed volume-key version 0.3.9-3 as checked into bionic. This should
not be considered a full security audit but rather a quick gauge of
maintainability.

- No CVEs in our database.
- volume-key's main purpose is to provide some key escrow capabilities for
  encrypted storage

- Build-Depends: debhelper, libglib2.0-dev, libcryptsetup-dev,
  libnss3-dev, libgpgme11-dev, libblkid-dev, swig, python-dev,
  libnss3-tools
- Does not daemonize
- No networking
- Does Cryptography
- No pre/post inst/rm
- No init scripts
- No systemd unit files
- No dbus services
- No setuid files
- volume_key in PATH
- No sudo fragments
- No udev rules
- There is a test suite but it doesn't appear useful as a quality tool
- No cron jobs
- Some warnings in the build logs, not ideal

- No subprocesses spawned
- I found some probable errors in memory management, but mostly good:
  - kmip_decode_object_symmetric_key() return -1 case leaks res?
  - kmip_decode_key_value() default: case leaks res?
  - kmip_decode_object_secret_data() return -1 case leaks res?
- Files opened are controlled by the user
- Logging looked careful
- No privileged operations
- Extensive cryptographic operations
- No networking
- No privileged portions of code
- No temp files
- No WebKit
- No JavaScript
- Clean cppcheck
- No PolicyKit

I don't like promoting this package to main already. The tests shouldn't
be failing in a brand-new project. The fact that nss's certutil's use of
UpdateRNG() does a bunch of garbage with the terminal and prints lies
about what it is doing suggests that certutil itself is not suitable for
use by this project:

https://sources.debian.org/src/nss/2:3.35-2/nss/cmd/certutil/keystuff.c/?hl=67#L67

I'd be much happier promoting volume-key for 18.10.

However, we've already gotten complaints from our users that their
encrypted storage no longer works because the old mechanism has apparently
already been torn down.

If there's no way to bring back the old mechanism, then..

Security team begrudging ACK for promoting volume-key to main. But I'd be
happier if we could just bring back what used to work.

Thanks


** Changed in: volume-key (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to volume-key in Ubuntu.
https://bugs.launchpad.net/bugs/1754422

Title:
  [MIR] volume-key
